Meltdown and Spectre CPU Vulnerabilities: What You Need to Know

NOTE: Microsoft released Security Advisory 18002 on Wednesday, January 3, 2018 to mitigate a major vulnerability in modern CPU architectures that affects Windows. ESET released Antivirus and Antispyware module 1533.3 the same day to all customers to ensure that use of our products would not affect compatibility with Microsoft’s patch.

Background

The first few days of 2018 have been filled with anxious discussions concerning a widespread and wide-ranging vulnerability in the architecture of processors based on Intel’s Core architecture used in PCs for many years, and also affecting ARM processors commonly used in tablets and smartphones.

At the time of this writing, not all details have been released, but reportedly the issue is that programs running in user-mode address space (the “normal” range of memory in which application software, games and the like run) on a computer can infer or “see” some of the information stored in kernel-mode address space (the “protected” range of memory used to contain the operating system, its device drivers, and sensitive information such as passwords and cryptography certificates).

Fixes to prevent user-mode programs from “peering inside” kernel-mode memory are being introduced by operating system vendors, hypervisor vendors and even cloud computing companies, but it appears the initial round of patches will slow down operating systems to some extent. The exact amount of slowdown is open to debate. Intel has stated the performance penalty will “not be significant” for most users, but Linux enthusiast site Phoronix has benchmarked performance penalties from 5-30%, depending upon what the computer is doing.

History

A long Reddit thread titled Intel bug incoming has been tracking the vulnerability since information about it began to appear on January 2, 2018; Ars Technica and The Register have had excellent coverage, as well.

The Microsoft article goes on to note that this is not a Windows-specific issue, and that it affects Android, Chrome OS, iOS and macOS as well. Red Hat’s advisory includes IBM’s POWER architecture as being vulnerable. Hypervisor manufacturers VMware and Xen have issued their own advisories, as has Amazon Web Services.

Affected Vendors

Here is a list of affected vendors and their respective advisories and/or patch announcements:

Technical Details

The confusion over brands of affected CPUs may be due to the fact that this is not one vulnerability, but two similar vulnerabilities, dubbed Meltdown and Spectre by their respective discoverers. These vulnerabilities have three CVE numbers (a quasi-government standard for tracking computer security vulnerabilities and exposures) assigned to them:

| CVE Number | Description |
|---|---|
| CVE-2017-5715 | Branch Target Injection, exploited by Spectre |
| CVE-2017-5753 | Bounds Check Bypass, exploited by Spectre |
| CVE-2017-5754 | Rogue Data Cache Load, exploited by Meltdown |

For many years, processor manufacturers, such as Intel, have been able to fix flaws in processor architecture through microcode updates, which write an update to the processor itself to fix a bug. For a so far unannounced reason or reasons, this vulnerability may not be fixable this way in Intel processors, so instead, operating system manufacturers have collaborated with Intel to release patches for the vulnerabilities.
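One way to check whether a Linux system has the operating system patches for the three CVEs listed above (an added example, not part of the original article). It assumes a kernel that exposes the /sys/devices/system/cpu/vulnerabilities status files (mainline 4.15 and later, or a vendor backport); the status lines in SAMPLE are constructed for illustration.

```python
# Added example: map the article's three CVEs to the status files that patched
# Linux kernels expose under sysfs, and classify what each file reports.
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"  # assumed present (4.15+)

# CVE -> (name used in the article, sysfs file name)
CVE_FILES = {
    "CVE-2017-5753": ("Spectre: Bounds Check Bypass", "spectre_v1"),
    "CVE-2017-5715": ("Spectre: Branch Target Injection", "spectre_v2"),
    "CVE-2017-5754": ("Meltdown: Rogue Data Cache Load", "meltdown"),
}

# Constructed sample: one partially patched host (file name -> status line).
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable",
    "meltdown": "Mitigation: PTI",
}

def classify(status):
    """Reduce a kernel status line to one of four states."""
    if status is None:
        return "unknown"  # file missing: kernel predates the interface
    s = status.strip()
    for prefix, state in (("Not affected", "not_affected"),
                          ("Mitigation:", "mitigated"),
                          ("Vulnerable", "vulnerable")):
        if s.startswith(prefix):
            return state
    return "unknown"

def audit(sysfs_dir=SYSFS_DIR):
    """Return {cve: (state, raw status line or None)} for the three CVEs."""
    results = {}
    for cve, (_, fname) in CVE_FILES.items():
        try:
            with open(os.path.join(sysfs_dir, fname), encoding="utf-8") as fh:
                raw = fh.read().strip()
        except OSError:
            raw = None
        results[cve] = (classify(raw), raw)
    return results

def needs_action(results):
    """CVEs reported vulnerable, or whose mitigation cannot be confirmed."""
    return sorted(c for c, (state, _) in results.items()
                  if state in ("vulnerable", "unknown"))

if __name__ == "__main__":
    for cve, (state, raw) in audit().items():
        print(f"{cve}  {CVE_FILES[cve][0]:<33} {state:<13} {raw or 'no sysfs entry'}")
```

An "unknown" result means the kernel does not report a status for that CVE, which is treated here as needing follow-up rather than as safe.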

ESET’s Response

As mentioned at the beginning of the article, ESET released Antivirus and Antispyware module update 1533.3 on Wednesday, January 3, 2017, to all customers to ensure compatibility with Microsoft’s updates to the Windows operating systems. ESET is working alongside hardware and software vendors to mitigate the risk posed by the vulnerabilities.

Answer: Any computer using an Intel processor made from 1995 to the present is potentially affected. This means any Linux, Windows or Mac computer that has an Intel processor.

Question: Which operating systems have been patched to address the Meltdown exploit?

Answer: At this time, Linux and Microsoft have released patches. Microsoft released a Windows 10 patch available for download on 1/3/2018. Windows 7 and 8 patches will be available on Microsoft Patch Tuesday 1/9/2018. ESET has already made itself compatible with these patches. Web browsers have also released patches: Firefox, Internet Explorer and Edge have already made patches available through their automatic updates, and Chrome will be releasing its patch on January 23rd. You should also keep a watch on your computer manufacturer’s site for any firmware updates to address the Meltdown exploit.

Spectre

Question: Which operating systems are affected by Spectre?

Answer: Any computer using an Intel, AMD, or ARM processor is potentially affected.

Written by Aryeh Goretsky, ESET We Live Security

Special thanks to my colleagues Tony Anscombe, Richard B, Bruce P. Burrell, Nick Fitzgerald, David Harley, Elod K., James R., and Marek Z. for their assistance in preparing this article.
